On Mon, Sep 29 2014, Joshua Harlow wrote:
Do we know that the users (keystone, neutron...) aren't vulnerable?
From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure seems like we would likely still have issues if custom implementations are being used/created. Perhaps we
Julien,
I believe all the lessons learned from defusedxml (see the release
dates) have been folded back into the different libraries. For example
plain old etree.fromstring() even without any special options is ok
with the specially crafted xml bombs that you can find as test cases
in defusedxml
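The two parsing paths the thread contrasts, as an added example (this is not Nova's xmlutils and not defusedxml code): the stock xml.etree.ElementTree.fromstring(), run against a constructed miniature "billion laughs" document, and a guarded parser built on the stdlib expat module that refuses any DOCTYPE or entity declaration before anything can be expanded, which is the same hook-based approach defusedxml uses. The helper names parse_untrusted, stdlib_expansion_size and is_rejected and the sample documents SMALL_BOMB and BENIGN are this example's own. Whether a full-size bomb still exhausts memory on a given system depends on the libexpat build underneath the interpreter; the guard below does not depend on it.

```python
"""Refusing entity-expansion (XML bomb) input with the stdlib expat parser.

Added example, not code from Nova's xmlutils or from defusedxml. The helper
names (parse_untrusted, stdlib_expansion_size, is_rejected) and the sample
documents (SMALL_BOMB, BENIGN) are this example's own.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed sample: three levels of nested entities, 10 x 10 x 10 = 1000
# characters once expanded. Kept tiny so the unguarded path is safe to run;
# a real bomb nests ten levels and expands to gigabytes.
SMALL_BOMB = """<!DOCTYPE bomb [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<bomb>&c;</bomb>
"""

# Constructed sample of a harmless, DTD-less document.
BENIGN = '<server name="vm1"><flavor id="2"/></server>'


class EntityDeclarationForbidden(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


def stdlib_expansion_size(data):
    """Parse with the stock ElementTree parser and report how many
    characters the root element's text holds after entity expansion."""
    root = ET.fromstring(data)
    return len(root.text or "")


def parse_untrusted(data):
    """Parse XML from an untrusted source into an ElementTree Element.

    Any DOCTYPE, internal or unparsed entity declaration, or external entity
    reference aborts the parse before anything is expanded, which covers
    billion-laughs, quadratic-blowup and external-entity (XXE) documents
    alike. A document without a DTD parses normally.
    """
    parser = xml.parsers.expat.ParserCreate()
    builder = ET.TreeBuilder()

    def forbid(*_args):
        # An exception raised inside an expat callback propagates out of Parse().
        raise EntityDeclarationForbidden(
            "DOCTYPE and entity declarations are not accepted from untrusted input")

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.UnparsedEntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid

    # Feed element events straight into ElementTree's tree builder.
    parser.StartElementHandler = builder.start
    parser.EndElementHandler = builder.end
    parser.CharacterDataHandler = builder.data

    parser.Parse(data, True)
    return builder.close()


def is_rejected(data):
    """True if parse_untrusted() refuses the document."""
    try:
        parse_untrusted(data)
    except EntityDeclarationForbidden:
        return True
    return False


if __name__ == "__main__":
    print("stdlib expands SMALL_BOMB to", stdlib_expansion_size(SMALL_BOMB), "chars")
    print("guarded parser rejects SMALL_BOMB:", is_rejected(SMALL_BOMB))
    root = parse_untrusted(BENIGN)
    print("guarded parser accepts benign doc:", root.tag, root.find("flavor").attrib)
```

Like defusedxml's forbid_dtd option, this guard also rejects documents that carry a DOCTYPE but no entities; for input from the network that is the conservative trade-off, since nothing a client legitimately sends to an API needs a DTD.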
On Tue, Sep 30, 2014 at 09:28:22AM +0930, Christopher Yeoh wrote:
On Mon, 29 Sep 2014 18:03:20 +0200
Julien Danjou jul...@danjou.info wrote:
It seems that Python fixed that issue with 2 modules released on PyPI:
https://pypi.python.org/pypi/defusedxml
On Tue, Sep 30 2014, Davanum Srinivas wrote:
I believe all the lessons learned from defusedxml (see the release
dates) have been folded back into the different libraries. For example
plain old etree.fromstring() even without any special options is ok
with the specially crafted xml bombs that
I agree, it sounds like option 2 is safe.
Julien, I updated your commit message on
https://review.openstack.org/#/c/125021/ to point to this thread.
Write-it-down-ly,
Doug
On Sep 30, 2014, at 7:17 AM, Davanum Srinivas dava...@gmail.com wrote:
Julien,
I believe all the lessons learned from
This was also needed for Python 2.6, right? Do we have confirmation
that we can drop that for Kilo?
-Ben
On 09/30/2014 08:28 AM, Doug Hellmann wrote:
I agree, it sounds like option 2 is safe.
Julien, I updated your commit message on
https://review.openstack.org/#/c/125021/ to point to
Yes, I think we are still on track to drop 2.6 support for the servers in Kilo.
This wasn’t used in the client libraries, right?
On Sep 30, 2014, at 10:25 AM, Ben Nemec openst...@nemebean.com wrote:
This was also needed for Python 2.6, right? Do we have confirmation
that we can drop that for
On Tue, Sep 30 2014, Doug Hellmann wrote:
Yes, I think we are still on track to drop 2.6 support for the servers in
Kilo.
This wasn’t used in the client libraries, right?
After a quick grep of the code I have around, it doesn't look like it is being used
by anything other than Nova itself.
--
Julien
Hi,
I was looking at xmlutils today, and I took a look at the history of
this file that seems to come from a CVE almost 2 years ago.
What is surprising is that, unless I missed something, the only user of
that lib is Nova. Other projects such as Keystone or Neutron implemented
things in a
On Sep 29, 2014, at 12:03 PM, Julien Danjou jul...@danjou.info wrote:
Hi,
I was looking at xmlutils today, and I took a look at the history of
this file that seems to come from a CVE almost 2 years ago.
What is surprising is that, unless I missed something, the only user of
that lib is
Do we know that the users (keystone, neutron...) aren't vulnerable?
From https://pypi.python.org/pypi/defusedxml#python-xml-libraries it sure
seems like we would likely still have issues if custom implementations are
being used/created. Perhaps we should just use the defusedxml libraries until
On Mon, 29 Sep 2014 18:03:20 +0200
Julien Danjou jul...@danjou.info wrote:
It seems that Python fixed that issue with 2 modules released on PyPI:
https://pypi.python.org/pypi/defusedxml
https://pypi.python.org/pypi/defusedexpat
I'm no XML expert, and I've only a shallow understanding